Learn additional uses for Cisco IOS access control lists

Network administrators typically use access control lists (ACLs) to stop traffic or permit only specified traffic while stopping all other traffic. While this is the primary use of ACLs, there are many more possible uses that admins don't always think about. David Davis explores the various uses of ACLs on a Cisco router.

If you're a network administrator, you need to be familiar with
access control lists (ACLs). Admins typically use ACLs to stop traffic or
permit only specified traffic while stopping all other traffic. (While some
people might refer to an ACL as a firewall, it's
really only a firewall in its most basic form. Technically, it's a packet
filter.)

The primary use of ACLs is to manage traffic, but there are
many more uses for ACLs that many people just don't think about. This week,
let's look at the many uses for ACLs.

Control traffic flow

Of course, you can use ACLs to control traffic flow, as mentioned
above. What you need to remember about this is the "one-per" rule. That
means that you can have one ACL per
interface per direction per protocol.

So, each interface can have only one ACL for each direction
for each protocol. Let's look at an example of a common ACL. The following ACL
denies certain traffic, but it permits all other IP traffic.

This ACL denies ICMP traffic. But how does this ACL deny all
ICMP traffic when there's no actual mention of ICMP? Every ACL ends with an
implicit deny: if you don't specifically permit something, the ACL will
automatically deny it.

So, if you want to allow ICMP (for example, ping) to also
flow across this link, you need to add the following statement:

Router(config)# access-list 100 permit icmp any any

When working with ACLs, a very useful option is the log keyword. If you want to log all
traffic coming across the link, use the following:

Allow IP traffic only after authentication

Also known as the lock-and-key
feature, dynamic ACLs require someone to Telnet to the router and successfully
authenticate. This process dynamically creates an ACL to temporarily allow some
traffic to pass through the router. For more information, see Cisco's Lock-and-Key
Commands documentation.

Debug traffic

What happens if you use the debug ip packet command on a router? Don't try it! This command can actually bring an entire production
router down.

However, when used properly, this command can be a very helpful
tool. For example, you can use debug ip
packet with an ACL. And, you can even ask for details.

So, let's say you want to view only traffic from host
1.1.1.1 to host 2.2.2.2 that uses port 80. Being
very careful, you could see it using debug
ip packet together with an ACL that matches only that traffic. Here's an example:

In this example, you have a rudimentary packet sniffer that
gives information on TCP port number (src/dest), sequence number, ack, window,
and flag information. In addition, this is for the entire router—not just a
single interface.

Show routes matching an ACL

A large production router often sports a very long list of
routes. However, you can use an ACL to filter these routes. Here's an example:

Filter routing updates

You can also use ACLs to filter routing updates, which you
can accomplish using distribute lists. Distribute lists tell the router which routes
to accept or deny from remote neighbors. They also tell the router which routes
to send out and which ones not to send out to remote neighbors.

Control access to the router

Let's say you want to specify which IP addresses or networks
can connect to your router via Telnet or Web access. You can use an ACL to define
those IP addresses or networks and then use an access class to tell the
application which ACL to use. Below are examples for both HTTP and Telnet:
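As an added example that is not the article's own listing, here is one way to restrict both Telnet (vty) and HTTP access to a router with a single standard ACL; the ACL number 10 and the management subnet 192.168.10.0/24 are assumptions chosen for illustration:

```cisco
! Standard ACL 10: only the management subnet may reach the router's
! Telnet and HTTP services. (ACL number and subnet are assumed for this example.)
access-list 10 permit 192.168.10.0 0.0.0.255
! Explicit final deny with the log keyword, so rejected connection attempts
! show up in syslog instead of disappearing into the implicit deny.
access-list 10 deny any log
!
! Telnet: access-class applies the ACL to inbound connections on the vty lines.
line vty 0 4
 access-class 10 in
!
! HTTP: the embedded web server is given the same ACL.
ip http access-class 10
!
! Verify: each entry shows a match counter, so denied attempts are visible.
! show access-lists 10
```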

Throttle down traffic

Or, let's say you want to slow HTTP traffic to use only 128K
of bandwidth on a T1 circuit. You can use a rate limit to accomplish this. But
how does the rate limit know what traffic to throttle down? You guessed it—an
ACL. Listing A offers an example.

More uses

Because of space constraints and other limitations, it's not
possible to address every use for ACLs in the Cisco IOS, but I wanted to
mention a few you may not have thought of. You can also use ACLs when
configuring IPSec VPN tunnels, network address translation (NAT), and policy
routing.

There are many more uses for ACLs than the ones listed in
this article. How do you use ACLs on your Cisco devices? Post your additional
uses in this article's discussion.

David Davis has worked
in the IT industry for 12 years and holds several certifications, including
CCIE, MCSE+I, CISSP, CCNA, CCDA, and CCNP. He currently manages a group of
systems/network administrators for a privately owned retail company and
performs networking/systems consulting on a part-time basis.